Synapse LDAP config, add Portunus search user, update flake

This commit is contained in:
Lyn Fugmann 2023-01-18 14:12:03 +01:00
parent 4813ec4811
commit c3134e1e58
Signed by: fugi
GPG key ID: 4472A20091BFA792
6 changed files with 83 additions and 44 deletions


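--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -26,6 +26,15 @@
 "portunus": { "is_admin": false },
 "ldap": { "can_read": false }
 }
+},
+{
+"name": "search",
+"long_name": "LDAP search group",
+"members": ["search"],
+"permissions": {
+"portunus": { "is_admin": false },
+"ldap": { "can_read": true }
+}
 }
 ],
 "users": [
@@ -34,6 +43,12 @@
 "given_name": "admin",
 "family_name": "admin",
 "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] }
+},
+{
+"login_name": "search",
+"given_name": "search",
+"family_name": "search",
+"password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_search"] }
 }
 ]
 }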


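--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -71,11 +71,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
-"lastModified": 1670146390,
-"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
+"lastModified": 1673740915,
+"narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "86370507cb20c905800527539fc049a2bf09c667",
+"rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
 "type": "github"
 },
 "original": {
@@ -87,11 +87,11 @@
 },
 "nixpkgs_2": {
 "locked": {
-"lastModified": 1671215800,
-"narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=",
+"lastModified": 1673800717,
+"narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "9d692a724e74d2a49f7c985132972f991d144254",
+"rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
 "type": "github"
 },
 "original": {
@@ -116,11 +116,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
-"lastModified": 1670149631,
-"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
+"lastModified": 1673752321,
+"narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
 "owner": "Mic92",
 "repo": "sops-nix",
-"rev": "da98a111623101c64474a14983d83dad8f09f93d",
+"rev": "e18eefd2b133a58309475298052c341c08470717",
 "type": "github"
 },
 "original": {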


@ -29,9 +29,15 @@ in
members = [ "${ldapUser}" ]; members = [ "${ldapUser}" ];
}; };
sops.secrets."portunus_admin" = { sops.secrets = {
owner = "${portunusUser}"; "portunus_admin" = {
group = "${portunusGroup}"; owner = "${portunusUser}";
group = "${portunusGroup}";
};
"portunus_search" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
};
}; };
services.portunus = { services.portunus = {
@ -40,10 +46,16 @@ in
group = "${portunusGroup}"; group = "${portunusGroup}";
domain = "${domain}"; domain = "${domain}";
port = 8081; port = 8081;
ldap = { ldap = {
user = "${ldapUser}"; user = "${ldapUser}";
group = "${ldapGroup}"; group = "${ldapGroup}";
suffix = "dc=ifsr,dc=de"; suffix = "dc=ifsr,dc=de";
searchUserName = "search";
# disables port 389, use 636 with tls
# `portunus.domain` resolves to localhost
tls = true; tls = true;
}; };
@ -60,9 +72,4 @@ in
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
80 # http
443 # https
];
} }
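Review bot: The third hunk removes 80 and 443 from `networking.firewall.allowedTCPPorts` with no replacement visible in this commit; if no other module on the host opens those ports, the nginx vhosts presumably fronting Portunus and Synapse become unreachable after the next deploy, so confirm they are declared elsewhere before merging (only the module's closing `}` is shown as context here). In the second hunk the login name `search` is now spelled out in three places that must agree — `searchUserName = "search";` here, `"login_name": "search"` in the seed file, and `uid=search` in the Synapse `bind_dn` — so binding it once next to the existing `ldapUser` let-binding and referencing `"${searchUser}"` would keep the three from drifting apart. A short comment on `searchUserName`, e.g. `# bind account Synapse uses for LDAP lookups; password comes from sops secret portunus_search`, would also explain why a second secret is declared in the first hunk.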


@ -8,7 +8,6 @@ let
base_url = "https://${domainServer}:443"; base_url = "https://${domainServer}:443";
server_name = domainServer; server_name = domainServer;
}; };
"m.identity_server" = { };
}; };
serverConfig = { serverConfig = {
"m.server" = "${domainServer}:443"; "m.server" = "${domainServer}:443";
@ -21,21 +20,17 @@ let
''; '';
in in
{ {
# sops.secrets = { sops.secrets.matrix_ldap_search = {
# synapse_registration_secret = { key = "portunus_search";
# owner = "matrix-synapse"; owner = config.systemd.services.matrix-synapse.serviceConfig.User;
# group = "matrix-synapse"; };
# };
# };
services = { services = {
postgresql = { postgresql = {
enable = true; enable = true;
ensureUsers = [ ensureUsers = [{
{ name = "matrix-synapse";
name = "matrix-synapse"; }];
}
];
}; };
nginx = { nginx = {
@ -66,6 +61,7 @@ in
root = pkgs.element-web.override { root = pkgs.element-web.override {
conf = { conf = {
default_server_config = clientConfig; default_server_config = clientConfig;
disable_3pid_login = true;
}; };
}; };
}; };
@ -75,6 +71,10 @@ in
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
plugins = with config.services.matrix-synapse.package.plugins; [
matrix-synapse-ldap3
];
settings = { settings = {
server_name = domainServer; server_name = domainServer;
@ -89,17 +89,32 @@ in
compress = false; compress = false;
}]; }];
}]; }];
# TODO: ldap
registration_shared_secret = "registration_shared_secret";
}; };
# extraConfigFiles = [
# (pkgs.writeTextFile { extraConfigFiles = [
# name = "matrix-synapse-extra-config.yml"; (pkgs.writeTextFile {
# text = '' name = "matrix-synapse-extra-config.yml";
# ''; text = ''
# }) # `password_providers` is deprecated but `modules` is not supported yet.
# ]; password_providers:
- module: ldap_auth_provider.LdapAuthProvider
config:
enabled: true
# have to use fqdn here for tls (still connects to localhost)
uri: ldaps://auth.nix.fugi.dev:636
base: ou=users,dc=ifsr,dc=de
# taken from kaki config
attributes:
uid: uid
mail: uid
name: cn
bind_dn: uid=search,ou=users,dc=ifsr,dc=de
# TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
bind_password: portunus_search
# bind_password_file: ${config.sops.secrets.portunus_search.path}
'';
})
];
}; };
}; };
@ -113,7 +128,7 @@ in
path = [ pkgs.sudo config.services.postgresql.package ]; path = [ pkgs.sudo config.services.postgresql.package ];
# create database for synapse. will silently fail if already exists # create database for synapse. will silently fail if it already exists
script = '' script = ''
sudo -u ${config.services.postgresql.superUser} psql <<SQL sudo -u ${config.services.postgresql.superUser} psql <<SQL
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
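Review bot: In the last hunk the LDAP bind credential is written into the generated config as `bind_password: portunus_search`, and because `pkgs.writeTextFile` lands in the world-readable Nix store, whatever value ends up on that line — the literal placeholder now, or the real search password if someone substitutes it later — is readable by every local user and by anything that copies the store. The commented fallback `# bind_password_file: ${config.sops.secrets.portunus_search.path}` also points at the portunus-owned `portunus_search` secret rather than the `matrix_ldap_search` secret this commit declares for the synapse service user, so it would be unreadable by synapse once enabled; it should read `# bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}`. Until the provider accepts a password file, the fragment holding the credential needs to be produced outside the store at runtime from the sops-managed secret and referenced by path in `extraConfigFiles`, rather than interpolated into a store path. The `matrix-synapse` attribute set and the `extraConfigFiles` list continue outside the hunk.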


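--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -5,6 +5,7 @@ nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
 portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
+portunus_search: ENC[AES256_GCM,data:WEpw/Ii8UI9TpTSQSU/QVhnhU0huAhhVwRlnWaqD4yg=,iv:kLgoXHIqRDOEzPCgKBqkouJu+Wu8RLxL54P/jykqCC8=,tag:iOxrKhTuHGoTxD86Ae9hnA==,type:str]
 mediawiki:
 postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
 initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
@@ -24,8 +25,8 @@ sops:
 Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
 KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2022-12-17T17:42:18Z"
-mac: ENC[AES256_GCM,data:qLBASH8XmcHjTFrxdEqyk7KwXHEGx9hT6Jvqw1JMtZDhP95OjKNRySh5fptG1+Jz1ZIaG5zwDWdzV2/GXGru06dDR8bZYoXCboa0YR1NSESZ9f95n9v1HYQf/oSww8KHTP3METZ/1oS7i1nQdL5FxLFTK+nx77uQ1VxX7Ztl85Y=,iv:jEWOsxeTamGGNVw8OXFQT9o5MIyE7EMPAYEdfQesLZw=,tag:vUZK+H93qUursPwfoTpEJg==,type:str]
+lastmodified: "2023-01-17T22:50:14Z"
+mac: ENC[AES256_GCM,data:+I8oEl35XylSZVi4m6vY/Z9wsMqt2BER04gu7aXt9+cjg4X2NBEFE9qjZKB9vVLaC1D1El7UUs4oZcAu1bpJ9IGL5eBy1nT9Ei8cxRRlbh3cDnC6QIOE66fcq/gDJHnT7u3figsO/MKZenIpfKbEA+88iJkGm8/61qjESPGUjpk=,iv:ZDkAjdpFU3IMVJkzKAXNtD5nAn9USbRb0pUXDfKEWto=,tag:b7ybgB85dEBKWADLyWi36g==,type:str]
 pgp:
 - created_at: "2022-11-18T16:37:48Z"
 enc: |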


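--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -5,6 +5,7 @@ nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3E
 hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
 wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
 portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str]
+portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str]
 mediawiki:
 postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str]
 initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str]
@@ -24,8 +25,8 @@ sops:
 MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
 ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2022-12-17T20:37:05Z"
-mac: ENC[AES256_GCM,data:zRn9Y43k9jEYmI9gU5vKPAEcG0N+O7ILFisyttXDHbdaiYJfAWu8556Hkofq1hS6WByB/ZE+BZO9vJ9JFzGxodCDeOTF0XLmFeb5frL7Vb9u2MXvT+z640kwA9VJUoLligoqmVt4O+ba3Tr+wU1qy85vLxyDFeEIj6ATo68E8b0=,iv:LaB6cJx5oXGVNNWvfwIievTm8KmVCAJ1j6RVOwFsyBU=,tag:3H7PnmpU65ub6ysVLsB3bQ==,type:str]
+lastmodified: "2023-01-17T22:26:52Z"
+mac: ENC[AES256_GCM,data:0Ngy2Ixk+HUsGbAMvNLCKGn7iCIZeOGjYsyzjwwRt/ATnOVVvcdSi9P1Ib4vcRl4OJJKO9fMVIJFkXutZYPiT2JnnPRWIokr39a7wMMMgljDrxS8Nzry2CJkELRpuu9vd/tkSc6dcmhnK1wraI1YRf23HIuukmLxei9BkS+dB+M=,iv:92za85tuTI6NtCqx+K6/MXME6+2vHpGhBVZrlwqMp0I=,tag:h8aWvsJ0t3SyY0tNtEIxLw==,type:str]
 pgp:
 - created_at: "2022-11-18T16:37:58Z"
 enc: |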